HTTPS Everywhere Rule Sets for UMBC, tools.ietf.org

The server tools.ietf.org supports TLS, but my browser's HTTPS Everywhere seems unaware of this fact. So I wrote a rule set for that server. I have previously posted here an HTTPS Everywhere rule set for an oft-used (by me) server at UMBC; for convenience, this is reproduced below.

<ruleset name="tools-ietf">
  <target host="tools.ietf.org" />

  <rule from="^http://tools\.ietf\.org/" to="https://tools.ietf.org/" />
</ruleset>

<ruleset name="userpages-UMBC">

  <target host="userpages.umbc.edu" />

  <rule from="^http://userpages\.umbc\.edu/" to="https://userpages.umbc.edu/"/>

</ruleset>

Where do these rules go? See the EFF docs or my prior description.

We are Twitter's Twits, not their Customers

I've been disturbed by the invasive nature of many, many android apps. For example, here are the permissions requested by the Twitter app:

• Why does Twitter need my location? They don't.
• Why does Twitter need access to my accounts (note plural)? They don't. Why would I want to hand this over to them? That would be simply stupid.
• Why would my contacts want me to hand their information over to Twitter? The naive ones may not to think to care, but most would likely prefer that I did not.
• Why does Twitter need access to my Google service configuration? They don't. 

Clearly, we are not Twitter's customers, but rather Twitter's twits. Why use their app when you can simply log in to their service via browser?

Additionally, there are some ads that are simply blatant phishing attempts:

This is from the tunein app, which provides searches for radio stations and radio programs to stream. It's a nice service. It's ad-supported. The ad above, just above the highlighted Related tab, says I have one new message. So if I click that, where does it take me? Not to a message, or, rather, not to a message from anyone I could imagine listening to. It's a phishing ploy.

Amusingly Unacceptable Android App

I decided to play around with an office app on the Android, and Kingsoft looked good with over 45k reviews and an average review of 4.6 The terms of use had one agreement with Google Analytics. The other is shown below:

I don't think I really need this app after all.

Improve Your Hosts File for Christmas

Opera has a nice feature that one can selectively block advertising. When I do my daily once-over of web sites I visit, I do it in Opera, and then delete all private data. However, for whatever reason, ads from bannerfarm.ace.advertising.com regularly escape Opera's block content feature. However, this site violates my if it moves or makes noise, kill it policy. Adding this to the hosts file does the trick:

127.0.0.1 bannerfarm.ace.advertising.com

127.0.0.1 ace.advertising.com

127.0.0.1 advertising.com

127.0.0.1 www.advertising.com

127.0.0.1 advertising.vip.aol.com

127.0.0.1 advertising-vip.egslb.aol.com

My Preferred Firefox Extensions

• CS Lite Mod (1.4.8): cookie management
• Download Statusbar (0.9.10)
• HTTPS-Everywhere (3.0.4)
• NoScript (2.6.3)
• Padlock (0.5.0)
• Web Developer (1.2.2): reliable referer blocking

Useless crap Ubuntu adds to Firefox that is easily disabled, but not so easily uninstalled: 

• Global Menu Bar Extension
• Ubuntu Firefox Modifications

Google Does Evil and then Lies About It

http://www.businessweek.com/news/2012-08-09/google-said-to-face-fine-by-u-dot-s-dot-over-apple-safari-breach

Today Google agreed to pay apple $22.5M for allegedly breaching Safari users' browser settings to set cookies. That's evil.  The payment is apparently a record high, but for Google is just a slap on the wrist

But then the above-linked Business Week article quotes Google to say "...[we have taken] steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.” This strikes me as fundamentally dishonest. No, cookies gather no information. However, web servers accessing cookies left previously do gather information, so placing the cookies aided Google's gathering of information about users' browsing behavior. And a user's browsing behavior strikes me as private.

Chrome as Nagware

Now whenever I start Chrome, it asks me to sign in to the browser. Why? It's a browser, not an OS. Apparently this will let me sync my bookmarks, history, and settings on all my devices: "With Chrome's sign-in feature, you no longer need to fret about your bookmarks or apps being "stuck" on one computer." Who's enough of a dweeb to fret about this stuff?

Different machines have different characteristics, so maybe I want different settings. Maybe I want different bookmarks, history, and apps at home and at work. Maybe I want to try out a setting or an app, but not spread it across all my systems until I decide I like it. Maybe an app is stealing data. Do I want it spread across all my machines quickly and automatically?

I think this is a feature that some people will want. But the way Google is going about it, nagging us to log in every time we start the browser, apparently with no setting to disable the request, feels coercive. And when a corporation attempts coercion, I worry about ulterior motives.

Still Happy to Not Have a Facebook Account

This morning facebook changed their users' contact information to Facebook addresses. Lovely. So now non-Facebook-users will have their e-mail addresses captured by Facebook if we respond to mails from those addresses. Probably in itself not a big deal. But it's just another example of Facebook knowing they can treat their users with no respect and few of the users will leave.

Another issue is that as people start responding from their Facebook addresses, will others trust that the sender really is who it seems to be? Will people open bogus Facebook accounts to spoof other people? Clearly yes, but that happens with most providers. Again, probably not really a big deal.

Of course, current Facebook users are annoyed because they have to either change the contact info in their profiles back to their preferred e-mail addresses or start checking e-mail in multiple places. Do you really want e-mail between your financial institutions and yourself going through Facebook? I don't think so. Do you really want work-related e-mail going through Facebook? I don't think so.

It'll be a little while before I respond to e-mail from Facebook accounts. Hopefully others will resist this power grab.

Zeitgeist Spyware Framework Installed by Default in Linux Mint 13

I thought I would take a moment to pull together information on the Zeitgeist monitoring system which has become a part of Gnome and is inexplicably included within Linux Mint. First, Zeitgeist is not itself spyware, but it collects much information about a user that would be one-stop shopping for any spyware that finds its way onto a system. It provides no discernible benefit, and is dangerous to keep around, so get rid of it. More information:

1. My take on what Zeitgeist is.
2. Zeitgeist was dropped as a component for Gnome 2.32 but the Ubuntu folks decided life wouldn't be complete without a spyware framework.
3. Removing Zeitgeist.

An Even Nicer Little Improvement in Linux Mint 13

Mint 13, as is common in the Ubuntu world, includes a framework for spyware called zeitgeist. In the past it was challenging to remove since apt would then try to remove the entire gnome environment. So my reaction was to disable it to the extent possible, but it's still dangerous to have this stuff on the system. However, on a Mint 13/Mate system dumping zeitgeist is easy:

  sudo apt-get remove zeitgeist zeitgeist-core zeitgeist-datahub

Yippee!

This is a followup to Nice Little Improvement in Linux Mint 13.

XKCD & Klout [sic]

Yesterday's XKCD takes an anti-Klout stand: http://xkcd.com/1057/. I wasn't sure how seriously to take this, whether it was free advertising for Klout, or even what Klout was, other than a misspelling.

So I visited the site. Klout is amazingly stupid. The effect the XKCD piece had on me was to add various Klout-related URLs to the /etc/hosts files on various of my PCs [ mapping them to 127.0.0.1 ].

Declining a Privacy Policy

I think this will have no effect, but I just declined a privacy policy.

My employer recently changed prescription drug benefit plans. The new cards have decals explaining that we should visit a web page to activate online benefits. There is no explanation of online benefits, why I would want them, etc., unless it was in the paper which I shredded and recycled.

So I went to the web site, express-scripts.com, which right off the bat earned two raspberries:

1. The site doesn't allow "special characters" in the password. Is there any conceivable justification for that, other than to lower password entropy, making passwords easier to crack?
2. There was no explanation on the page that they were restricting the character set of the password, thus forcing me to go back and try again.

There were two separate privacy policies, each of which went on for pages and pages. And pages. It was clear that one thing they intend to do is to share my personal information for marketing purposes. There was a brief statement suggesting I could amend the agreement, but no information about how. After a couple minutes, it became clear that they did not have my best interests in mind both by the length and complication of the privacy policy and the fact that they want to make money from anything they learn about me.

So I declined the privacy policy. That took me to a page explaining that I had declined--I knew that--and giving me a choice of going back or logging out. I logged out. It would have been nice if they had allowed me a text area to explain why I had declined the onerous privacy policy, but alas, no. I guess they decided against having an extra customer service placebo.

Chrome Cookie Management: Could be Better

I went into my Chrome settings this morning to delete unwanted cookies. Clearly I had waited too long, and should have simply deleted them all and then dealt with the consequences later. Instead, I went through many, many cookies individually and deleted the vast majority of them. Some thoughts:

1. It would be nice to have a select-all control with the ability to then go through and uncheck a few.
   
2. Why is the server address limited to such a narrow field? Even when I maximized the window, the server address field stayed narrow, and there was no adjustment gadget to make it wider. Thus many of the server names were not fully-visible.
   
3. From now on I do more of my browsing in an in cognito window, or in Opera. I use Opera for various news-related sites and blogs that I visit daily, and my Opera settings are to delete all cookies on exit.
   

People Don't Really Do This, Do They?

Yeah, I know, they really do. I was meandering about in Yelp and clicked on find friends. Yelp wants full access to my Gmail account, with which they would do ... something.

It's not clear if they would tell me which of my contacts have yelp accounts, or send them e-mail, or what. They are clear that they do not store my Gmail password, but say nothing else about what they do. And since many online providers have been penetrated, and since many online providers mislead users about how they respect their users' privacy (see Google's recent subversion of Safari security settings for a recent example, or Facebook's historic lack of regard for their users), it's foolish to give one service complete access to another service.

So with my Google password comes access to Gmail, Blogger, Picasa, Docs, etc. Nope, not giving that out to another service, and especially not one that doesn't explain it's intended use for said password.

Allowing Apps Access to Accounts

EFF points to an interesting article The Perpetual, Invisible Window Into Your Gmail Inbox which talks about pitfalls of allowing apps access to one's Gmail, Twitter, Facebook, etc., accounts. It's a good read, though my basic advice is don't give access to your e-mail to any app. However, with a smart phone the temptation might be great.

One of the sites mentioned there is http://mypermissions.org/. I recently deleted my Google+ account and barely use my Windows Live account, so the only account of interest there was LinkedIn. It turns out they think I had given access to two applications, an event announcement app and a survey app. They are probably both innocuous, but I was never aware of giving them access, and actually like the idea of getting rid of their useless event announcements, so I was able to disable them. Also, looking through my LinkedIn settings, I saw a number of settings that they had chosen for me by fiat, as I never would have chosen to allow e-mail from partners, for example. All that is cleaned up, but apparently bears revisiting from time-to-time.

In my Gmail account I had sharing among various Google services enabled and the ability to use my Google account to log in to some services enabled. Basically, if my Google account is penetrated, other dominoes fall.

LinkedIn Privacy Issue

Look in your LinkedIn account settings. Under Groups, Companies, and Applications there are two data sharing options, Turn on/off data sharing with 3rd party applications and Manage settings for LinkedIn plugins on third-party sites. These were enabled in my configuration, so very likely LinkedIn has decided to treat all users, by default, with little respect. This is an opt-out intrusion. I suggest people opt out.

Wait, I'm on LinkedIn and I'm talking about privacy?

Chrome: Blocking HTML Referer [sic]

It's easy to block HTML referrers in  Firefox: visit about:config and set network.http.sendRefererHeader to zero.

It's easy to block referrers in Opera: Make sure "Send Referrer Information" is unchecked at Opera | Settings | Quick Preferences

So how about Chrome? The man page is incomplete, not saying how to do this.

Googling sent me to a a Chrome extension. I have no reason to trust the author of that extension, so I looked a little more.

The answer is, surprise, in the Chrome help forum,  http://www.google.com/support/forum/p/Chrome/thread?tid=63a866565ba8664f&hl=en

The thing is, I don't usually start Chrome from the command line, and I don't recommend doing so. If Chrome (or Firefox, or Evince, etc.) are given a command shell, they dump gobs of junk to, probably, stderr. So it's necessary to change the shortcut from which Chrome starts. Gnome instructions follow; Windows instructions, untested, are here. [ Note added 2012-09-10: I think the following is incorrect and that Firefox does require an extension to block referers. Bad Firefox, bad. Original text: I do not endorse their method of blocking referrers in Firefox, as it is simply not necessary to install an extension to do this. ]

In System | Preferences | Main Menu | Internet (your system may vary) right-click on Google Chrome. Add --no-referrers to the end of the command line. Kill Chrome. Restart Chrome through the updated shortcut.

On referrers: this is from a time when the Internet was a less dangerous place. I have trouble seeing how this was ever a good idea, but now it is simply an invasion of privacy. It isn't likely that any subsequent version of HTML will drop this, but it would be nice if browsers would default to not sending referrer information.

A note on the misspelling 'referer': the word was misspelled in RFC 1945 (!996 Berners-Lee, Fielding, Frystyk), which is a bit odd since they spelled 'referred' correctly. Wikipedia says the misspelling originated in a different document, by a different author. Fielding says that neither 'referer' nor 'referrer' were in the UNIX spell program at the time. I thought by 1990 everyone was using ispell or aspell; okay I never actually thought that. Paper dictionaries weren't available at the time? I'm just happy to not have my name as prominently associated with a dumb little mistake like this. Of course, it is just a dumb little mistake.

Google Search for MyLife.com

A sampling:

• Complaintsboard.com has many people complaining that MyLife is a scam, uses false advertising, etc. I concur.
• Just say 'no' to mylife.com, http://techpaul.wordpress.com/2009/03/06/just-say-no-to-mylifecom/ . It appears that the author gave MyLife access to his e-mail accounts, and regretted it.
• Wikipedia has an article. Highlights: lawsuits against the company for e-mail spoofing. Parent reunion.com rated F by the LA BBB.
• "Mylife.com: A new tool for bargain-seeking stalkers" at http://www.socialmeteor.com/2009/02/28/mylifecom-a-new-tool-for-bargain-seeking-stalkers/ . This article goes into some detail about how MyLife is gathering and abusing PII. Recommended.
• "MyLife.com Accused of Running 'Spam-and-Scam' Scheme" http://www.walletpop.com/2011/03/02/mylife-com-accused-of-running-spam-and-scam-scheme/ discusses a lawsuit against these slimeballs (and I'm being completely objective here) in US District Court in Oakland, CA. Links are provided.
• TechCrunch talks about the birth of MyLife as a merger of reunion.com and wink.com. This corroborates much of what's in the Wikipedia article.

People Search, Phishing, MyLife, and All That

I recently wrote about getting information from the naive, though I phrased more harshly. This was at  http://martesmartes.blogspot.com/2011/04/how-to-get-personal-information-from.html. Then last week I saw a TV ad for mylife.com, offering to show a person who is searching for him or her.

First, I don't know how they can do this without the cooperation of Google or some of the alternative search engines. MyLife seems to be the same as the previously-discussed phishing sites. It asks for personal information, shows a picture of the user's neighborhood from Google Streetview, and then offers to to take a credit card number for outrageous ($13 per month and up) fees to provide results.

There is, however, an inconspicuous little link in the upper right to continue with free, limited access. I clicked. First, it took me to my profile--my fault, I entered personal info. How do I delete it? However, the page was surprising, with links to a couple family members and my ex-wife. I seriously dislike this site.

There was a link to my profile, but no option to delete. However, I was able to edit my profile, but the only meaningful field worth changing was my birthdate, which I changed to a wildly inaccurate value.

This site goes into my hosts file mapped to 127.0.0.1.

My best guess is that it the for-pay tell me who is searching for me feature, is simply internal: a record of people who have searched for me from within mylife.com. So, ultimately, it's a phishing site that thinks it's yet another redundant social media site.

Personal Data in Amazon MP3s

In December I discussed the buyer ID data that Amazon is placing in MP3 files, noted that the standard tools seem to not notice these IDs, and expressed a desire to write a script to display these IDs. See http://martesmartes.blogspot.com/2010/12/need-to-write-my-own.html and http://martesmartes.blogspot.com/2010/12/personal-information-in-amazon-mp3.html.

First, the script:

// Time-stamp: <2011-05-27 22:23:37 jdm>

// JFlex script to look for UID tags in an MP3 received from Amazon. If
// such a tag is encountered, it is displayed. Otherwise, there is no
// output.

// Compiling (assuming JFlex is installed)
//
// jflex findUID.lex
// javac Yylex.java

// Running:
//
// java Yylex <MP3 file name>

// Bugs:
//
// A left angle bracket, <, within the UID will cause the tag to not be
// displayed.
// Even though the MP3s that I have seen with UID tags have the tags
// near the beginning of the file and only one UID tag per file, this
// searches the entire (possibly long) file and will display multiple
// UIDs if found. Though this is probably not a bug, it does cause a
// perceptible delay.

%%

%standalone

%unicode
%int

openAngle  = <
uid        = UID
stuff      = [^<]+
tagEnd     = "</UID"
closeAngle = >
tag        = {openAngle}{uid}{stuff}{tagEnd}{closeAngle}

%%

{tag} { System.out.println(yytext()); return 0; }

.     { return 0; }

\n     { return 0; }

\r     { return 0; }

As mentioned in the comments, this is a JFlex script. JFlex's lineage dates back to the standard Unix lexical analyzer-building tool, lex, which was superseded by flex. JLex has been well-known in the Java community for awhile, but work on it seems to have ceased. JFlex, however, appears to be an active project (and an Ubuntu package). Of course, it works on Windows, too.  See http://jflex.de/

It turns out that Amazon informs the consumer when an MP3 will contain identifying information. I did not notice this before Michael D. pointed it out to me in January. The Amazon notice is in the product details and says "Record Company Required Metadata: Music file contains unique purchase identifier." Then they have a "Learn More" link. This is what Amazon has to say:

Record Company Required Metadata

The record company that supplies this song or album requires all companies that sell its downloadable music to include identifiers with the downloads.  Embedded in the metadata of each purchased MP3 from this record company are a random number Amazon assigns to your order, the Amazon store name, the purchase date and time, codes that identify the album and song (the UPC and ISRC), Amazon's digital signature, and an identifier that can be used to determine whether the audio has been modified.  In addition, Amazon inserts the first part of the email address associated with your Amazon.com account, so that you know these files are unique to you. Songs that include these identifiers are marked on their product detail page on Amazon.com.  These identifiers do not affect the playback experience in any way.

The idea seems to be that the record companies are requiring Amazon to put the information in, and Amazon is being honest about what's in there, though most consumers likely never see this information and never notice the link to it.

A few comments are in order.

• My script displays the UID tag and contents, but does not modify or remove it. I have no intention of providing such a script.
• People share MP3s at their own risk. As someone who has made good money developing software, I understand their need to earn a living. I even understand, though am less sympathetic toward, the RIAA's outrageous damage claims in suits. Any individual's decision to share, or not, is between him, his conscience, and the RIAA.
• The UID is the user's Amazon user ID. On the MP3s containing the UID that I have, my script displays this:  <UID version="1">martensjd</UID>. That's me. 
• Amazon says there is other identifying information embedded in the MP3. Read the statement above. So stripping this out will not be sufficient to hide the original buyer.
• I would rather not have this in my media files, but I don't object strongly enough to go through the files stripping it all out.